Container Service for Kubernetes (ACK) allows you to register external Kubernetes clusters with ACK to build a hybrid cloud environment. You can create a cluster registration proxy and use the proxy to register a Kubernetes cluster that is deployed in a data center or on a third-party cloud. This way, you can manage your clusters in Alibaba Cloud Distributed Cloud Container Platform (ACK One) in a centralized manner. This topic describes the precautions for using registered clusters.

Data security

  • The ack-cluster-agent component deployed in Kubernetes clusters that are registered with ACK only reads cluster version and node information from the clusters. The component does not write data to the registered clusters or affect other components.
  • If you register a Kubernetes cluster in data center with ACK by using the public endpoint of the API server, we recommend that you configure access control for the Server Load Balancer (SLB) of the API server that listens on port 6443. This helps avoid potential security risks. For more information, see Enable access control.

Component management

You can sink middleware capabilities, such as log collection, monitoring, and alerting, from Alibaba Cloud to Kubernetes clusters that are registered with ACK. However, you may need to authorize some middleware to access specific cloud resources before you use the corresponding capabilities. To perform authorization, provide your AccessKey information, grant the middleware permissions to access the required cloud resource, and create a Secret named alibaba-addon-secret to store your AccessKey information. For more information, see Grant permissions to a registered cluster.

Node pools

You can use the node pool feature to scale out the number of Elastic Compute Service (ECS) nodes in a Kubernetes cluster that is registered with ACK. For the node pool feature to work as normal, make sure that the following requirements are met:

  • The Kubernetes cluster is registered with ACK by using the internal endpoint of the API server.
  • Make sure that the on-premises container network plug-in runs only in the on-premises network and the Terway plug-in runs only on ECS instances.
  • The script that is used to initialize the nodes in the Kubernetes cluster is prepared.


  • When you register an external Kubernetes cluster (a self-managed or third-party cluster), make sure that the network between the cluster and Alibaba Cloud is stable. When the external Kubernetes cluster accesses resources on Alibaba Cloud over the Internet, stability issues such as timeouts may occur.
  • You cannot create or use LoadBalancer Services in registered clusters.


The version, cluster initialization method, and node configurations of external Kubernetes clusters are different from those of ACK clusters. For example, the default node configuration file path or port used by components such as Container Storage Interface (CSI) and MetricServer are different from the configurations of external Kubernetes clusters. As a result, the components may fail to run as normal in these external Kubernetes clusters. Therefore, the stability of these components is a shared responsibility between you and ACK.